vikunja/frontend
kolaente fa34e955c0 fix(auth): dedupe and retry token refresh so concurrent refreshes don't spuriously log out (#2863)
The access JWT lives only 10 minutes, so the SPA constantly refreshes it via
the single-use, rotation-on-use refresh cookie. The only concurrency guard was
the Web Locks API, which exists exclusively in secure contexts. On insecure
HTTP deployments there is no coordination, so triggers that fire close together
(initial load, proactive timer, focus handler, 401 interceptor) each POST with
the SAME cookie before the rotated Set-Cookie lands. One rotates successfully,
the other matches 0 rows and gets a 401, and the loser bounces the user to
/login even though the rotation actually succeeded.

A: add a module-level in-flight promise in refreshToken() so concurrent calls
in the same tab share one underlying refresh, in every context (HTTP included),
independent of navigator.locks. The existing Web Locks usage stays as the
secondary cross-tab layer for secure contexts.

D: retry the refresh exactly once before treating a failure as a real logout.
After a lost race the browser cookie is already the rotated valid one, so a
fresh second attempt succeeds; only if both fail do we log out. Implemented DRY
via refreshTokenWithRetry() used by renewToken() and the expired-JWT path in
checkAuth().

The happy path (single tab, secure context, no race) is unchanged.

Fixes #2863
2026-06-19 19:56:23 +02:00
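The race and the two guards described in the commit message above, as an added example (a constructed simulation, not code from the Vikunja repository). The names refreshToken and refreshTokenWithRetry follow the commit message; makeServer, makeClient, scenario and the 5 ms latency are assumptions, and the cross-tab Web Locks layer is not modelled.

```javascript
// Added illustration (constructed simulation, not Vikunja's source).
// Server side: one stored refresh token, single-use, rotated on every successful refresh.
function makeServer() {
  let valid = 'r0', n = 0, posts = 0
  return {
    get posts() { return posts },
    async refresh(presented) {
      posts++
      await new Promise(resolve => setTimeout(resolve, 5)) // request in flight
      if (presented !== valid) return { status: 401 }      // stale token: matches 0 rows
      valid = 'r' + (++n)
      return { status: 200, setCookie: valid }
    },
  }
}

// Client side: `cookie` stands in for the browser's refresh cookie.
function makeClient(server, dedupe) {
  let cookie = 'r0', inFlight = null
  async function post() {
    const res = await server.refresh(cookie) // cookie value is read at send time
    if (res.status !== 200) throw new Error('refresh rejected: ' + res.status)
    cookie = res.setCookie                   // rotated Set-Cookie lands
  }
  function refreshToken() {
    if (!dedupe) return post()
    // In-flight promise: concurrent callers in this tab share one POST.
    if (!inFlight) inFlight = post().finally(() => { inFlight = null })
    return inFlight
  }
  async function refreshTokenWithRetry() {
    try { await refreshToken() } catch { await refreshToken() } // exactly one retry
  }
  return { refreshToken, refreshTokenWithRetry }
}

// Two triggers fire close together; a rejected promise models a forced logout.
async function scenario(dedupe, retry) {
  const server = makeServer()
  const client = makeClient(server, dedupe)
  const call = retry ? client.refreshTokenWithRetry : client.refreshToken
  const settled = await Promise.allSettled([call(), call()])
  return { logouts: settled.filter(s => s.status === 'rejected').length, posts: server.posts }
}

for (const [dedupe, retry] of [[false, false], [true, false], [false, true]])
  scenario(dedupe, retry).then(r => console.log({ dedupe, retry, ...r }))
```

With neither guard, one of the two callers is rejected even though the rotation succeeded; with retry alone the loser's second attempt reads the already-rotated cookie and succeeds at the cost of an extra POST.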
docs fix: markdown spelling 2025-06-10 12:10:42 +02:00
originalMedia chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
public feat(time-tracking): add favicon indicator for active time tracking sessions (#2937) 2026-06-18 23:52:52 +02:00
scripts feat: add subsets for all supported languages 2025-08-17 23:11:30 +02:00
src fix(auth): dedupe and retry token refresh so concurrent refreshes don't spuriously log out (#2863) 2026-06-19 19:56:23 +02:00
tests test(time-tracking): add end-to-end coverage 2026-06-08 13:54:09 +00:00
.editorconfig chore(dev): insert final newline 2025-05-23 11:56:50 +02:00
.env.local.example chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
.gitignore feat: use offical vite plugin for sentry (#873) 2026-03-03 12:30:49 +01:00
.npmrc chore(tests): remove Cypress, use Playwright exclusively (#1976) 2025-12-12 20:07:18 +00:00
.nvmrc chore(deps): update node.js to v24.13.0 2026-01-15 09:43:02 +01:00
.stylelintrc.json feat(frontend): upgrade Tailwind CSS from v3 to v4 2026-03-03 11:46:18 +01:00
CHANGELOG.md chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
LICENSE fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
README.md docs(frontend): fix env file example name 2025-06-10 12:10:42 +02:00
cliff.toml chore: move frontend files 2024-02-07 14:56:56 +01:00
embed.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
env.config.d.ts feat(ts): improve module declarations (#957) 2025-06-16 22:32:40 +02:00
env.d.ts chore(tests): remove Cypress, use Playwright exclusively (#1976) 2025-12-12 20:07:18 +00:00
eslint.config.js refactor(frontend): replace for...in usages and forbid via lint rule 2026-04-15 11:44:47 +00:00
histoire.config.ts chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
index.html fix: respect allow_icon_changes config on web and desktop 2026-06-01 09:40:37 +00:00
netlify.toml feat(dev): use proxy server in dev mode (#3069) 2025-03-09 13:40:57 +00:00
package.json chore(deps): bump dompurify from 3.4.9 to 3.4.11 in /frontend 2026-06-18 21:25:47 +00:00
playwright.config.ts feat: make sidebar resizable (#1965) 2025-12-12 10:46:46 +00:00
pnpm-lock.yaml chore(deps): bump dompurify from 3.4.9 to 3.4.11 in /frontend 2026-06-18 21:25:47 +00:00
tsconfig.app.json feat: use offical vite plugin for sentry (#873) 2026-03-03 12:30:49 +01:00
tsconfig.config.json chore(deps): replace dev-dependencies (#1990) 2025-12-16 08:51:06 +00:00
tsconfig.json fix(ts): align with create-vue setup 2024-06-19 14:05:41 +00:00
tsconfig.vitest.json chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
vite.config.ts fix(frontend/vite): Configure vite dev proxy to handle frontend path 2026-04-20 14:28:23 +00:00

README.md

Web frontend for Vikunja

The todo app to organize your life.

License: AGPL-3.0-or-later Translation

This is the web frontend for Vikunja, written in Vue.js.

Take a look at our roadmap (hosted on Vikunja!) for a list of things we're currently working on!

For general information about the project, refer to the top-level readme of this repo.

Project setup

pnpm install

Development

Define backend server

You can develop the web frontend against any accessible backend, including the demo at https://try.vikunja.io.

To do so, set the DEV_PROXY env variable. The recommended way is to:

  • Copy .env.local.example as .env.local
  • Uncomment the DEV_PROXY line
  • Set the backend URL you want to use

In the end, it should look like DEV_PROXY=https://try.vikunja.io if you work against the online demo backend.

Start dev server (compiles and hot-reloads)

pnpm run dev

Compiles and minifies for production

pnpm run build

Lints and fixes files

pnpm run lint

License

This project is licensed under the AGPL-3.0-or-later license. See the LICENSE file for details.